Licensing policy

Overall licensing structure

The following table describes the overall licensing structure and deployment availability.

Number of licenses overtime

The number of licenses used can vary over time. The number of licenses required is the highest number of licenses used during the contract period.

Exceeding license

When a customer exceeds their license, Holm Security will consult the customer before the additional charge.

Unlimited number of activities

Each license includes an unlimited number of scans, simulations, and awareness trails.

Scanner Appliances require no licenses

Customers using System & Network Scanning and/or Web Application Scanning can use any number of Scanner Appliances forms where scanning can be carried out.

System & Network Scanning

Licensed per active IP

The product is licensed based on active IPs, meaning systems and computers that is placed in a TCP/IP network. A system can be a physical server and/or virtual machine. The following crtieria must be fullfilled for an asset to require a license:

• One or more TCP or UDP port open with an active service responding.
• The asset is active. 

The same server that has several IPs (multiple network interfaces), or both an IPv4 and IPv6 connected, will require one license. 

Example:
A physical server hosts 7 virtual machines. Each machine has one IPv4 and one IPv6 connected. All machines are actively running. Scanning all 7 machines will require 7 licenses. 

Device Agent licensed per installation

Licensing for Device Agent is based on the number of installations of the software in systems and computers, but a Device Agent doesn’t require an additional license if the system or computer has a license based on the IP.

Example:
Scanning a server from the outside using cloud scanners or Scanner Appliances requires one system or computer (static IP address) license connected to the IP address. A Device Agent installed in the same system or computer doesn’t require an additional license.

No additional licenses are required for policy scanning & authenticated scanning

Policy scanning and authenticated scanning require a standard license for System & Network Scanning, based on the IP. If a system is scanned using multiple methods, such as scanning from the outside, policy scanning, and authenticated scanning, it still only requires one license based on the IP.

Example:
An organization scans an IP using multiple scanning methods (scanning using cloud scanners, Scanner Appliance, policy scanning, and authenticated scanning), but only one license is needed for the product.

Web Application Scanning

License per URL/application

The product is licensed based on the number of unique web applications (or URLs) scanned. Each application scanned requires one unique license.

Example:
A web server hosts 5 web applications on separate URLs. To scan all 5 applications requires 5 licenses. If the customer scans the web server itself, this will also require a license for Systems & Network Scanning for the IP.

API Scanning

Licensed per interface

The product is licensed based on the number of unique APIs that are scanned. Each API scanned requires one unique license.

Phishing & Awareness Training

Licensed per user (email address)

The product is licensed based on the number of unique users that are included in phishing simulation and/or awareness training. A user is a unique individual, which should be equal to the number of unique email addresses.

Example:
A company has 5,000 employees that they target with phishing simulation and awareness training and 1,000 that are not targeted. The company requires 5,000 licenses for the product.

Combination with Device Agent

If using Device Agent, under the product System & Network Scanning, together with Phishing & Awareness Training, the user will be associated with the computer by identifying the user's email address. The customer will require one license for the computer (scanned using Device Agent) and one for the user.

Cloud Scanning

Cloud resource definition

A cloud resource is an object resource within a cloud service. For example, Bucket A in S3 (AWS) is a cloud resource, Instance X in EC2 (AWS) is a cloud resource, and instance Y is another cloud resource within the cloud service EC2 (AWS). The cloud resources that require a license are listed below.

Cloud service definition

A cloud service is for example EC2 or RDS (AWS).

Licensing based on cloud resources

The product is licensed based on the number of unique cloud resources used by a cloud vendor. 

Examples:
5 virtual machine instance resources (EC2) are provisioned within an AWS cloud account. To scan these 5 resources will require 5 licenses.

3 DB instances resources (RDS) are provisioned within an AWS cloud account. To scan these 3 resources will require 3 licenses.

Combination with traditional scanning

Cloud infrastructure can be scanned from the internet using cloud scanners, or from the inside using a Scanner Appliance. This means that for example, an EC2 (in AWS) resource running a virtual machine can be scanned targeting the IP and scanned through integration with AWS using the product Cloud Scanning. This will require two licenses; one for scanning the IP from the outside, and one for scanning using the integration in the product Cloud Scanning.

If a Device Agent is installed the same policy applies as mentioned under “Device Agent licensed per installation".

AWS cloud resources where a license is applied:

• API Gateway API
• Athena Workgroup
• CloudFront Distribution
• DynamoDB Table
• EC2 Instance
• ECR Repository
• ECS Task Definition
• EFS Filesystem
• EKS Cluster
• Elasticache Cluster
• ELB/ALB/NLB Load Balancer
• EMR Cluster
• Firehose Delivery Stream
• Kinesis Stream
• Lambda Function
• RDS Database Instance
• Redshift Cluster
• S3 Bucket
• Sagemaker Notebook
• SNS Topic
• SQS Queue
• Transfer Server

Azure cloud resources where a license is applied:

• Authorization Policy Assignments
• Authorization Policy Definitions
• Authorization Role Definitions
• Authorization Locks
• Blob Containers
• Compute Virtual Machines
• Compute Disks
• Compute Availability Sets
• Compute Virtual Machine Scale Sets
• CDN Profiles
• Container Registries
• Container Service Managed Clusters
• Insights Activity Log Alerts
• Insights Log Profiles
• Insights Autoscale Settings
• Insights Diagnostics Settings
• Key Vaults
• MySQL Servers
• Network Virtual Networks
• Network Security Groups
• Network Watchers
• Network Load Balancers
• Postgres Servers
• Queues
• Storage Accounts
• SQL Servers
• Security Contacts
• Security Auto Provisioning Settings
• Security Pricing
• Tables
• Web Sites

Google cloud resources where a license is applied:

• Cloud Load Balancers
• Autoscale Instance Groups
• Compute Instances
• Disks
• Key Rings
• Crypto Keys
• Managed DNS Zones
• IAM Policies
• IAM Users
• Service Account Users
• Kubernetes Clusters
• Alert Policies
• Log Sinks
• SQL Instances
• Storage Buckets
• VPC Networks
• Firewalls

Oracle Cloud resources where a license is applied:

• Audit
• Block Storage
• Cloud Guard
• Compute
• Database
• File Storage
• Identity
• Logging and Monitoring
• Networking
• OKE
• Object Store
• Vaults

Other products & services

Organizer

Licensed per installation of Organizer. A customer can have multiple Organizers.

Professional Services

Holm Security Success Program Standard & Holm Security Success Program Standard

Previously called “Premium Support”.

Licensed per customer, accordingly the maximum license number per customer is one.

Holm Security Certification Program

Licensed per attendee (individual) for the certification program.